----- Original Message -----
From: croilan cruz
To: [email protected]
Sent: Friday, September 15, 2006 12:31 PM
Subject: [plug] re:squid-http
An inquiry about the squid proxy: if you set up squid on a box that
has a firewall, squid looks like this when you run
nmap -sT against the IP of the firewall with the squid proxy:
3128/tcp open squid-http
Does this output have something to do with an open proxy?
Yes, if you don't have any access control list (ACL) in your squid.conf to
deny bad IPs and allow good IPs.
Allow me to explain how nmap derives an open, closed and filtered port.
In TCP, to establish a connection, it must do the three-way handshake
first: the client sends a SYN packet to the server, the server SYN/ACKs to the
client, and the client ACKs it.
client --->>> SYN --->>> server
client <<<--- SYN/ACK <<<--- server
client --->>> ACK --->>> server
nmap reports an "open" port if it completed the three-way handshake.
nmap reports a "filtered" port if the server doesn't reply with any TCP packet
(SYN/ACK, for this matter) back to the client until the client's TCP timer
expires; the client here is nmap. Usually the server didn't reply due
to a firewall rule dropping the packet on a particular port before it
reaches the server's TCP stack.
nmap reports a "closed" port if the client sees an RST packet from the
server: a server port that is not in listening mode will reply to a
client's SYN with an RST packet.
In the above nmap result (3128/tcp open squid-http), it is clearly
indicated that there is no layer 3 firewall implemented. Even if the
status is open, it doesn't mean that you are open to proxy relay. Let
us examine the layer 7 firewall, where squid's ACL is doing that.
For squid to be able to know the IP address of the client in order to
compare it to its ACL rules, squid must establish a TCP connection first (the
three-way handshake thing, which nmap reports as an open port). Once
established (after the accept(2) function is called), squid reads the socket
descriptor, where the client IP address is, and compares it to its ACL
rules to decide whether it is allowed to access or not.
In that way, whether inside or outside of your network, one sees an open port, but
if you implemented ACLs in squid.conf, you are safe from open relay.
fooler.
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph
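The two points in the reply above (how nmap turns the outcome of connect() into open/closed/filtered, and why a Squid src ACL can only be evaluated after accept() has already completed the handshake) can be seen in one place with the following added example. It is not code from the thread or from Squid: it is a toy listener on 127.0.0.1 that mimics the `acl ... src` / `http_access` directives, plus a connect-scan classifier. The squid.conf fragments, the listener, and the helper names (`parse_acls`, `http_access`, `port_state`, `scan_then_request`, `free_port`) are all constructed for this illustration; the peer address is taken from the tuple accept() returns, which is where a real server learns the client IP.

```python
import errno
import ipaddress
import socket
import threading

# Constructed squid.conf fragments (not from the original post): one that lets
# loopback through, one that does not. Only "acl ... src" and "http_access"
# are modelled, which is all a source-address decision needs.
ALLOW_CONF = """
acl localnet src 127.0.0.0/8 192.168.0.0/16
http_access allow localnet
http_access deny all
"""
DENY_CONF = """
acl trusted src 192.168.0.0/16
http_access allow trusted
http_access deny all
"""


def parse_acls(conf):
    """Return ({acl_name: [networks]}, [(action, acl_name), ...])."""
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl" and parts[2] == "src":
            nets = [ipaddress.ip_network(n, strict=False) for n in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2]))
    return acls, rules


def http_access(acls, rules, client_ip):
    """First matching http_access line wins ("all" is Squid's built-in ACL).
    If no line matches, Squid's documented default is the opposite of the
    last line's action."""
    addr = ipaddress.ip_address(client_ip)
    for action, name in rules:
        if name == "all" or any(addr in net for net in acls.get(name, ())):
            return action == "allow"
    return bool(rules) and rules[-1][0] == "deny"


def port_state(host, port, timeout=2.0):
    """Classify a TCP port the way nmap -sT does, from what connect() returns."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # SYN, SYN/ACK, ACK all completed
    except ConnectionRefusedError:
        return "closed"          # RST came back: nothing is listening there
    except (socket.timeout, TimeoutError):
        return "filtered"        # no reply at all: something dropped the SYN
    except OSError as exc:       # ICMP unreachable is also reported as filtered
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT):
            return "filtered"
        return "unknown"


def start_listener(acls, rules, connections=2):
    """Serve `connections` clients: the kernel finishes each handshake on its
    own (so the port is already "open"), accept() then hands over the peer IP,
    and only at that point do the http_access rules decide."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]

    def serve():
        for _ in range(connections):
            conn, (peer_ip, _) = listener.accept()
            with conn:
                allowed = http_access(acls, rules, peer_ip)
                reply = (b"HTTP/1.0 200 OK\r\n\r\n" if allowed
                         else b"HTTP/1.0 403 Forbidden\r\n\r\n")
                try:
                    conn.sendall(reply)
                except OSError:
                    pass         # a scanner closes without reading; verdict unchanged
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def proxy_status(host, port):
    """Connect like a real client and return the status line the ACL produced."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        buf = b""
        while b"\r\n" not in buf:
            chunk = s.recv(64)
            if not chunk:
                break
            buf += chunk
    return buf.split(b"\r\n")[0].decode()


def scan_then_request(conf):
    """(nmap-style state, layer-7 verdict) for one squid.conf fragment."""
    acls, rules = parse_acls(conf)
    port = start_listener(acls, rules)
    return port_state("127.0.0.1", port), proxy_status("127.0.0.1", port)


def free_port():
    """A loopback port with nothing listening, so a SYN to it draws an RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print("allow loopback:", scan_then_request(ALLOW_CONF))
    print("deny loopback: ", scan_then_request(DENY_CONF))
    print("unused port:   ", port_state("127.0.0.1", free_port()))
```

Both configurations report the port as open to the scanner; only the status line differs, which is the reply's point that "open" in an nmap -sT listing says nothing about whether the proxy will relay for you. The "filtered" branch cannot be exercised on loopback; it needs a host whose firewall drops the SYN so that connect() times out.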